Monday 17 February 2020

Tips on security induction sessions

The Information Security 101 management presentation is coming along ... but I'll need to rein in my enthusiasm for all things yellow to refocus on the information security essentials: one of the challenges with induction training is keeping it within a tight timescale. 'Speak fast!' is not the answer because the audience probably won't take it all in, given that information security is just one of several important induction topics. It's trial by fire for them.

Some of our customers will have more time for induction training than others, so my cunning plan is to make the 101 presentations flexible. Customers who have the luxury of more time can elaborate on pertinent details and interact more extensively with the inductees. Those short of time may want to skim through or skip some of the slides ... but I hope to encourage them all to make the time to introduce inductees to the information security team. Making that personal link starts the long process of getting to know each other, with benefits on both sides as time goes on. For example, it's easier for workers to email, pick up the phone or drop in on someone they have already met, whether to ask a question, raise an issue or simply say "Hi!". 'Putting faces to names' is, to me, part of 'socialising information security', making it an integral part of the corporate culture. 

On that point, I will be encouraging customers to allocate suitable information risk and security pros to conduct the induction courses, in person. Information Security's 'customer services' or 'help desk' people and experienced trainers are the obvious choices for this job. Furthermore, if the Information Security Manager or CISO or CEO turns up, in person, to say hello and reinforce some point or other (implying a little preparation), that sends a more subtle message about the importance of information security for new workers. It's a powerful technique to cut through the avalanche of information assaulting inductees.

If it is simply not practicable for the relevant InfoSec people to make the time to attend induction courses, other approaches include:
  • Playing a brief 'talking heads' video statement by the ISM, CISO or CEO;
  • A quick live phone call or videoconference appearance by the ISM, CISO or CEO during the session;
  • Showing 'meet the team' biographies - mugshots and a few choice words about the pros in the InfoSec team (which, in fact, means everyone in the organization, including those currently in the induction session!).

Another cool idea is to invite inductees to come along to Information Security events and meetings after the induction session - ideally specific, planned events within the next month or two, otherwise any regular or general-access events and meetings ... and in fact that's not a bad idea anyway: these are potentially complementary approaches, not necessarily alternatives.

I have other ideas up my sleeve for making the induction content stickier, more memorable, but that's enough for now.
